1 Developing the Internal Audit Plan 


1.1 Overview of our internal audit approach 

Our role as internal auditor to an executive NDPB is to provide an 
independent and objective opinion to the Management Board on the 
adequacy and effectiveness of its risk management, control and governance 
processes. Our approach, as set out in the firm's Internal Audit Manual, is to 
help the organisation to accomplish its objectives by bringing a systematic, 
disciplined approach to our evaluation and to help improve the effectiveness 
of its risk management, control and governance processes. 


Our approach complies with best professional practice, in particular, the 
standards for internal audit promulgated by HM Treasury (Public Sector 
Internal Audit Standards, PSIAS), and the Institute of Internal Auditors’ 
guidance on risk-based internal auditing. We also comply in all material 
respects with other Government guidance applicable to executive NDPBs. 
1.2 Our Internal Audit Plan for the Information Commissioner's Office 
Our proposed 2016-17 Internal Audit Plan has been prepared based upon: 


• your latest risk register; 
• our understanding of your key challenges and objectives; and 
• discussions with management. 


In taking this approach, and in compliance with PSIAS requirements, the 
Internal Audit Plan is developed to enable us to provide distinct assurance 
to the Management Board and the Information Commissioner (as 
Accounting Officer) as to the adequacy and effectiveness of the risk 
management activities and controls in each of the three areas of: 


• risk management; 
• governance; and 
• internal control. 
2 Internal Audit Plan 2016-17 


2.1 Reporting outputs 
Our Internal Audit Plan will deliver the following reporting outputs to 
management and the Audit Committee throughout the year: 


• audit planning briefs; 
• assignment reports; 
• progress reports to the Audit Committee; and 
• Internal Audit Annual Report. 


Audit planning briefs 

Every internal audit assignment will have an audit planning brief that must be 
agreed with you before we begin any audit fieldwork. As well as capturing 
the background of the audit area, the scope of the review and the approach 
we will take, it also identifies the key members of your staff we will engage 
with and sets out a timetable for fieldwork and reporting. It is prepared following 
detailed planning meeting(s) with your nominated client leads, which typically 
take place six to eight weeks before our fieldwork begins. Each brief is 
subject to our usual quality assurance arrangements, i.e. it is reviewed by the 
engagement manager and partner before it is issued to you for approval. 
Assignment reports 
We produce a separate assignment report for every review in the Plan. It 
has two core sections: 


• an Executive Summary of the scope, key findings, best practice and our 
rating for the review area; and 
• a schedule of our detailed findings, including our agreed audit 
recommendations and your management response. 


We issue the assignment report in draft for your consideration and response 
within 15 days of completing our fieldwork. It is subject to our internal 
quality assurance review processes before it is issued in draft. 


Progress reports to management and the Audit Committee 

We issue a progress report to support each meeting of the Audit 
Committee. It shows the current status of each assignment in the Plan and 
highlights any emerging risks that may warrant a variation to the Plan. 


Internal Audit Annual Report 
Our Internal Audit Annual Report will contain our annual opinion on risk 
management, governance and internal control. It will summarise: 


• the opinion and level of recommendations for each audit assignment; 
• how each review has informed the annual opinion we give, and the 
reasons behind any qualification we may give; 
• progress made in addressing any significant findings; and 
• our performance against agreed performance indicators. 
2.2 Proposed Internal Audit Plan 
We identify below the areas agreed for consideration in the Internal Audit Plan, which we will keep under review throughout the year. 


Budget estimates are in days. 

Reviews for consideration 

Fines recovery 
Scope: Review the process in place to recover fines issued to organisations that remain unpaid. The review will cover how unpaid fines are identified, how performance measures of fine payment are reported, and the success of follow-up activities to recover fines, to ensure this process is efficient and effective. 
Lead: Will Simpson 
Budget estimate: 6 days 

IT service delivery 
Scope: An IT operational review of the IT services delivered to the ICO, considering performance management of suppliers, contract management with Northgate and how the ICO determines whether those services are meeting user needs. The review has been timed to allow any lessons learnt or findings to be considered as part of establishing the new IT contracts, expected in October 2016. 
Lead: Paul Eckersley 
Budget estimate: 7 days 

GDPR project 
Scope: Provide assurance over the project to manage the impact of GDPR on the ICO, including governance over the change programme and interactions with other parts of the ICO. The review will include how the ICO has resourced the project, the activity to backfill project members' roles and the recruitment for the new activities as the ICO takes responsibility for GDPR. 
Lead: Will Simpson 
Budget estimate: 8 days 

Investigations 
Scope: The review will cover how the ICO manages investigations through communication with stakeholders, the use of frameworks, gathering intelligence and finally reporting on investigations. Where possible, we will benchmark against other regulators' management of investigations. 
Lead: Will Simpson 
Budget estimate: 9 days 

People strategy 
Scope: People are a key part of the ICO, and management have established that the organisation needs to ensure it has "the right people, in the right place at the right time". The review will consider how staff performance is managed across the organisation and whether managers are properly prepared to implement performance management consistently. The review will also consider the progress of recommendations made from the staff performance review in 2015-16. 
Lead: Will Simpson 
Budget estimate: 8 days 

Stakeholder engagement 
Scope: The ICO is tasked with communicating key messages on data protection (and in the future data privacy) and access to information. The review will establish how those communications, including thought leadership, are prepared and published. The focus will be on how strategic activity is determined, agreed and approved, including consideration of the impact of GDPR on these activities. The review will also determine how the target audience is selected and the medium to use, and will assess how the ICO measures the success of such communication. 
Lead: Will Simpson 
Budget estimate: 11.5 days 

Follow up 
Scope: Review of the arrangements to capture and implement audit recommendations in a timely manner. 
Lead: Paul Eckersley 
Budget estimate: 3.5 days 

Sub-total for reviews: 53 days 
Planning, continued liaison, attendance at Audit Committee, annual reporting: 8 days 
TOTAL: 61 days 
2.3 Reviews considered and deferred 
The following areas were discussed with management but have been deferred: 


Sharepoint implementation advisory 
Scope: The ICO continues to develop new systems and a replacement is needed for Meridio. The review 
would provide advice on the implementation options available when using Sharepoint, based 
upon our experience of other organisations' implementations. 
Budget estimate: 5 days 
Reason for deferral: advisors are already in place. 

Fee forecasting 
Scope: Future work and organisational planning will become more reliant upon the ability of the ICO 
to forecast its income. The ICO has historically used a budget model where expenditure 
could not exceed the budget. However, if the ICO were able to establish the expected 
income from registration fees, it may be able to plan more strategically and hence 
deliver more services (such as investigations, education programmes and audits). The audit would 
establish how the ICO determines what its income from fees should be, and would incorporate the 
process to chase outstanding fee payments. 
Budget estimate: 7 days 
Reason for deferral: income is meeting the organisation's requirements; possible future review. 
2.4 Reviews to be considered for future audit plans 

Budget estimates are in days and relate to the 2017-18 and 2018-19 audit years. 

Core processes 
The new Information Commissioner will be appointed in 2016 and may wish to gain 
assurance over core processes. The review will cover areas such as Finance, Operations, 
Corporate Governance (corporate/business planning) and Risk Management. The timing of 
the review depends on the new Commissioner and may need to be brought forward into the 
current (2016-17) audit plan. 
Budget estimate: 8-10 days 

GDPR implementation 
The General Data Protection Regulation is expected to be finalised in 2016 and individual 
countries have until 2018 to implement the regulation. The ICO is establishing a programme 
of work to deal with the impact of GDPR, which is planned to be covered in the 2016-17 
audit plan. This review is to confirm that the programme has met its objectives. 
Budget estimate: 8-10 days 

Fee income changes/fees forecasting 
Deferred from the 2016-17 plan; the scope is as described in section 2.3. 
Budget estimate: 7 days 

Recruitment/performance management 
Internal Audit reviewed recruitment and staff performance management in 2015-16 and 
identified a number of areas for improvement; this review is to follow up that work. The 
main focus of the review will be to establish that recruitment and staff performance management are 
meeting the requirements of the ICO, especially as the impact of changes to the ICO's role 
(such as the implementation of GDPR) remains unknown. 
Budget estimate: 7 days 

Sharepoint implementation (timing is uncertain; dependent on the project) 
The ICO continues to develop new systems and a replacement is needed for Meridio. The review 
will provide assurance on the implementation of Sharepoint to replace Meridio. 

IT service delivery (post contractual changes) 
The contract with Northgate has a break point in 2017, and therefore it is possible that 
the replacement contract may expire in 2020, so planning for a replacement will need to 
take place in 2018. The review will focus on the planning for extension or replacement of 
the contract. 
Budget estimate: 8-10 days 

Case management system replacement 
The case management system is expected to be implemented within ICE, to replace 
CMEH, with development/implementation expected in 2017-18. The review 
will establish that the requirements of the ICO have been captured and that a project 
team is in place to implement the necessary changes. 
Budget estimate: 7 days 


• Accommodation was considered as an area to review. The next lease break-point for Wycliffe House will be 31 December 2021. The ICO will need to 
prepare its position two years in advance, i.e. during 2019/20, and hence the review is not included at this stage. 

• Internal compliance and information governance was considered, but management concluded that internal ICO experts are best placed to review practice. 
3 Resources and scheduling 


3.1 Resources to deliver the Internal Audit Plan 
Based upon the assignments proposed in our indicative Plan, the mix of 
staff we propose to deploy is summarised in the following table. 

Business Risk Services      Days    Proportion of time (%)    Daily rate* 
Partner/Director            4.5     7                         £1,523 
Associate Director          10.5    17                        £1,156 
IT Audit Manager            5       8                         £998 
IT Executive                5       8                         £707 
Executive                   29.5    48                        £526 
Associate                   6.5     11                        £375 
Total                       61      100% 

*Our contract establishes that our rates are subject to annual review. In line with 
general inflationary increases in professional services costs (largely staff costs) we 
propose a small increase to our underlying rates of 2½%. 

Applying the staff mix set out above, our fees for 2016-17 will therefore be 
£45,100 exclusive of VAT. This is more than the 2014/15 budget 
(£31,140) because the plan is larger than in 2015-16 (61 days compared to 47), 
there is more senior and IT staff involvement due to the nature of the reviews 
planned, and the rates have increased. 

3.2 Previous Internal Audit plans 
The table below sets out the assurance provided over the last three years 
and provides information on the audits carried out previously. 

Reviews carried out in 2013-14 to 2015-16: 
• New finance system: benefit realisation 
• Staff performance management 
• Core operations (post-Eagle) 
• Core financial controls 
• Integrated assurance 
• Business and corporate planning 
• Preparing for future budget cuts 
• Project Eagle: lessons learnt 
• Finance system project assurance 
• Governance and decision making 
• Risk management and horizon scanning 
• IT service management 
• Procurement 
• Payroll and pensions 

Total of plan (days):   2013-14: 54    2014-15: 39.5    2015-16: 47 
A ICO risk register 

We set out below the alignment of what the ICO sees as its key risks (the major risk groups) and the associated Internal Audit reviews. The summary information is as per the ICO risk register (January 2016). 

Risk: The ICO is perceived not to be relevant to the information rights 
issues of the day by its stakeholders (the public, media, politicians 
and organisations). 
Covered in 2016-17 Internal Audit Plan: Yes 
Elements of risk within scope: 
• Stakeholder engagement review: ensure stakeholder needs are 
being met by focusing resources on the right areas. 
• Investigations: review to establish that investigations are 
effectively managed and address the balance between 
thorough investigations and maximising the use of resources. 

Risk group: Horizon scanning 
Risk: The ICO does not identify key information rights trends and issues 
or is not successfully scanning the horizon ("looking for trouble"). 
Covered in 2016-17 Internal Audit Plan: Yes 
Elements of risk within scope: 
• GDPR project review: establish how the ICO is preparing for the 
additional responsibilities for GDPR. 

Risk group: Resources 
Risk: The ICO is not adequately resourced (money, people and IT) or 
does not make efficient use of its resources. 
Covered in 2016-17 Internal Audit Plan: Yes 
Elements of risk within scope: 
• IT service delivery: ensure that the ICO is meeting its user needs 
from IT services and that the new IT services contract incorporates 
any findings from the review. 
• People strategy: confirm that the ICO is addressing its 
resourcing needs and will be ready to take on new responsibilities. 
• Fines recovery: ensure the cost of recovering fines is 
proportionate to the income from them, while also considering the 
important message that recovering fines sends. 

Risk group: Change 
Risk: The ICO is not prepared for change, both internal (the next 
Commissioner), legislative (the EU DP reforms and the Burns 
Commission) and political (government priorities and initiatives). 
Covered in 2016-17 Internal Audit Plan: Yes 
Elements of risk within scope: 
• GDPR project review: establish how the ICO is preparing for the 
additional responsibilities for GDPR. 